This page describes access control with Identity and Access Management (IAM) in Secure Source Manager.
Overview
IAM permissions and roles determine your ability to create, view, edit, or delete data in a Secure Source Manager instance.
A role is a collection of permissions. You can't grant a principal permissions directly; instead, you grant them a role. When you grant a role to a principal, you grant them all the permissions that the role contains. You can grant multiple roles to the same principal.
Grant predefined Secure Source Manager roles
Every Secure Source Manager API method requires that the principal (user, group, or service account) making the request has the required permissions to use the resource. Permissions are given to principals by setting policies that grant the principal a predefined role on the resource.
Secure Source Manager roles are not visible in the Google Cloud console until you have assigned each role to a principal. For information on granting roles on Secure Source Manager instance and repository resources, see Grant and revoke IAM roles.
Secure Source Manager permissions
The following table describes the permissions available in Secure Source Manager predefined roles.
| Permission | Description |
|---|---|
| securesourcemanager.instances.access | Access the Secure Source Manager instance through the UI, the HTTP API, and the Git protocol (HTTP, SSH). This permission controls access to the instance. |
| securesourcemanager.instances.createRepository | Add Git repository resources in a Secure Source Manager instance. |
| securesourcemanager.instances.create | Create an instance. |
| securesourcemanager.instances.get | Get details of an instance, such as the creation time. |
| securesourcemanager.instances.delete | Delete an instance. |
| securesourcemanager.instances.update | Update the parameters of an instance. |
| securesourcemanager.instances.setIamPolicy | Set IAM policies on an instance. |
| securesourcemanager.instances.getIamPolicy | Retrieve IAM policies on an instance. |
| securesourcemanager.sshkeys.create | Add an SSH key to an instance. A user can only add an SSH key for themselves. |
| securesourcemanager.sshkeys.createAny | Add a service account SSH key to an instance. The user must also have the .actAs permission on that service account. |
| securesourcemanager.sshkeys.list | List SSH keys that belong to the instance. A user can only list SSH keys that they own. |
| securesourcemanager.sshkeys.listAny | List SSH keys that belong to the instance. A user can list all SSH service account keys in the instance. |
| securesourcemanager.sshkeys.get | Get SSH keys that belong to the instance. A user can only get SSH keys they own. |
| securesourcemanager.sshkeys.delete | Remove an SSH key from an instance. A user can only remove an SSH key for themselves. |
| securesourcemanager.sshkeys.deleteAny | Remove a service account SSH key from an instance. A user with this permission can remove any service account SSH key in the instance. |
| securesourcemanager.repositories.create | Create a Secure Source Manager repository. |
| securesourcemanager.repositories.list | List the metadata for repositories in a project. |
| securesourcemanager.repositories.get | Get the metadata of a repository. |
| securesourcemanager.repositories.update | Update repository metadata. |
| securesourcemanager.repositories.fetch | Git clone or fetch a repository. |
| securesourcemanager.repositories.push | Git push to a repository. |
| securesourcemanager.repositories.delete | Delete a repository. |
| securesourcemanager.repositories.setIamPolicy | Grant or remove repository roles or permissions for users, service accounts, and groups. |
| securesourcemanager.repositories.getIamPolicy | View repository roles and permissions. |
| securesourcemanager.repositories.testIamPermissions | Test whether a principal has a specified permission on a repository. |
| securesourcemanager.repositories.readIssues | Read-only operations on the issues section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.writeIssues | Write operations on the issues section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.readPullRequests | Read-only operations on the pull requests section of a repository in the Secure Source Manager web interface. |
| securesourcemanager.repositories.writePullRequests | Write operations on the pull requests section of a repository in the Secure Source Manager web interface. |
Secure Source Manager predefined roles
In addition to the project and folder levels, Secure Source Manager IAM roles can be granted on the instance and repository resources.
To view all predefined Secure Source Manager roles and the permissions available in each role, see the IAM basic and predefined roles reference.
Instance roles
Instance roles give principals permissions on the Secure Source Manager instance. Repository roles are granted separately.
Repository roles
Repository roles give principals permissions on Secure Source Manager repositories.
Custom roles
In addition to the predefined roles, Secure Source Manager also supports custom roles. For more information, see Creating and managing custom roles in the IAM documentation.
Repository role management
The following sections describe required roles for common repository actions.
Manage repositories
To get the permissions that you need to create, delete, and add users to a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:
- Secure Source Manager Instance Repository Creator (roles/securesourcemanager.instanceRepositoryCreator) on the Secure Source Manager instance
- Repo Admin (roles/securesourcemanager.repoAdmin) on the repositories you want to manage
Create repositories
To get the permissions that you need to create repositories in a Secure Source Manager instance, ask your administrator to grant you the following IAM roles:
- Secure Source Manager Instance Repository Creator (roles/securesourcemanager.instanceRepositoryCreator) on the Secure Source Manager instance
- Secure Source Manager Repo Creator (roles/securesourcemanager.repoCreator) on the Google Cloud project
View a repository
To get the permissions that you need to view a repository, ask your administrator to grant you the following IAM roles:
- Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor) on the Secure Source Manager instance
- Secure Source Manager Repo Reader (roles/securesourcemanager.repoReader) on the repository
Use a repository and create issues and pull requests
To get the permissions that you need to push to and pull from a repository, and to create issues and pull requests, ask your administrator to grant you the following IAM roles:
- Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor) on the Secure Source Manager instance
- Secure Source Manager Repo Writer (roles/securesourcemanager.repoWriter) on the repository
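The role combinations above are only satisfied when each role is held at the right level, and a role granted on the project is inherited by the instance and its repositories. The following is an added example, not Google's own code, that checks a principal against the role matrix from this page using IAM policies in the standard bindings/role/members shape; the sample policies, the principal names, and the omission of folders and conditional bindings are assumptions of the example.

```python
# Role combinations for each task, exactly as listed on this page: (role, resource level).
TASKS = {
    "manage repositories": [("roles/securesourcemanager.instanceRepositoryCreator", "instance"),
                            ("roles/securesourcemanager.repoAdmin", "repository")],
    "create repositories": [("roles/securesourcemanager.instanceRepositoryCreator", "instance"),
                            ("roles/securesourcemanager.repoCreator", "project")],
    "view repository": [("roles/securesourcemanager.instanceAccessor", "instance"),
                        ("roles/securesourcemanager.repoReader", "repository")],
    "use repository": [("roles/securesourcemanager.instanceAccessor", "instance"),
                       ("roles/securesourcemanager.repoWriter", "repository")],
}

# IAM policies are inherited down the resource hierarchy; folders are omitted in this example.
HIERARCHY = ["project", "instance", "repository"]

def roles_for(policy, member):
    """Roles granted directly to member by one policy (conditional bindings are ignored)."""
    return {b["role"] for b in policy.get("bindings", [])
            if "condition" not in b and member in b.get("members", [])}

def effective_roles(policies, member):
    """Roles held at each level, including those inherited from ancestor resources."""
    held, inherited = {}, set()
    for level in HIERARCHY:
        inherited = inherited | roles_for(policies.get(level, {}), member)
        held[level] = set(inherited)
    return held

def missing_roles(policies, member):
    """For each task, the (role, level) pairs the member still lacks; [] means allowed.
    Roles are matched by name only: holding repoWriter does not count as repoReader."""
    held = effective_roles(policies, member)
    return {task: [(r, lvl) for r, lvl in reqs if r not in held[lvl]]
            for task, reqs in TASKS.items()}

# Constructed sample policies (standard IAM policy shape: bindings -> role, members).
DEV, BOT = "user:dev@example.com", "serviceAccount:bot@example.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "project": {"bindings": [{"role": "roles/securesourcemanager.repoAdmin", "members": [BOT]}]},
    "instance": {"bindings": [
        {"role": "roles/securesourcemanager.instanceAccessor", "members": [DEV]},
        {"role": "roles/securesourcemanager.instanceRepositoryCreator", "members": [BOT]}]},
    "repository": {"bindings": [{"role": "roles/securesourcemanager.repoWriter", "members": [DEV]}]},
}

if __name__ == "__main__":
    for member in (DEV, BOT):
        for task, missing in missing_roles(SAMPLE_POLICIES, member).items():
            print(f"{member}: {task}: {'allowed' if not missing else 'missing ' + str(missing)}")
```

In the sample, the service account can manage repositories because its Repo Admin role is inherited from the project, but it cannot create repositories until Repo Creator is granted on the project.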
What's next
- Learn more about managing access in Google Cloud with the IAM overview.
- Grant Secure Source Manager IAM roles.
- Authenticate to Secure Source Manager programmatically.